Obsidian is a real-time threat intelligence platform built for regulated industries. From the moment a session opens, Obsidian is watching — correlating signals, surfacing threats, and protecting your platform against fraud, account abuse, and cross-operator bad actors.
Obsidian addresses the structural fraud problems that exist regardless of industry — then layers sector-specific intelligence on top.
When a customer opens an account, initiates a transaction, or requests a service, your team acts on incomplete information. Static snapshots cannot reflect the dynamic, evolving nature of organised threat actors.
Threshold-based fraud systems are reactive by design. Bad actors probe for limits, identify the boundaries, and engineer around them systematically. Rigid rules create a predictable, exploitable attack surface.
Analysts spend hours stitching together session logs, device lookups, and account history by hand. Every hour spent investigating is an hour your platform remains exposed. Speed is not a luxury — it is leverage.
Individuals flagged by one institution move freely to the next. Without shared intelligence — processed under a Legitimate Interest basis consistent with credit reference agencies and fraud consortia — every organisation starts from zero against the same actors.
The fraud landscape has evolved faster than the tools built to stop it. Most operators are operating blind, or reacting too late.
Multiple accounts created to exploit promotional mechanics drain marketing budgets and skew acquisition economics. Without cross-registration device and browser intelligence, every registration appears legitimate at the point of signup.
The same individual operates multiple accounts for peer-game collusion, gnoming, or repeated bonus extraction. Cross-entity graph linkage — across devices, browser fingerprints, and email addresses — is the only reliable detection mechanism.
Gambling platforms are targeted for placement and layering of illicit funds. IP intelligence — TOR, VPN, datacenter ranges, bad ASNs — combined with cross-operator identity signals surfaces laundering patterns that transactional monitoring alone cannot detect.
UKGC, MGA, and 6AMLD obligations require operators to identify at-risk players, trigger enhanced due diligence, and report suspicious activity. Without real-time signal intelligence, compliance obligations cannot be adequately discharged.
APP fraud, synthetic identity, and mule networks are now the defining fraud challenges for UK financial services — and they are cross-institutional by design.
£1.17bn was stolen through fraud in the UK in 2024 (UK Finance). Authorised Push Payment fraud and mule account infrastructure are cross-institutional by design — single-institution controls can only ever see part of the picture.
AI-generated synthetic identities combine real and fabricated data to pass traditional KYC checks. Pattern recognition across devices, email addresses, and IP ranges surfaces inconsistencies that single-point document verification cannot detect.
Compromised credentials and deepfake-assisted social engineering are enabling sophisticated account takeover at scale. Device fingerprint changes, impossible travel, and browser anomaly signals detect access anomalies that passwords alone cannot surface.
Fraud and AML teams operating independently means the same mule network can be visible to one function and invisible to the other. Converged entity intelligence — linking accounts, devices, and IPs across the customer lifecycle — closes the gap.
£1.16bn in fraudulent claims was detected in the UK in 2024 (ABI). Organised rings and opportunistic fraudsters both rely on identity manipulation that Obsidian's signals surface.
98,400+ fraudulent claims were detected in 2024, up 12% on 2023 (ABI). From exaggerated losses to entirely fabricated incidents, claims fraud depends on identity manipulation and false documentation — both addressable through entity intelligence at point of claim.
False information at point of application inflates losses and undermines underwriting integrity. Email, device, and IP signals detect fabricated or stolen identities before policies are issued — stopping losses before they begin.
Criminal intermediaries use false or stolen identities to obtain, manipulate, and resell policies. Cross-entity identity signals detect the reuse patterns — the same device, email address, or IP range across multiple policy applications — that ghost brokers depend on.
Crash-for-cash and staged incident rings submit claims simultaneously across multiple insurers. Cross-operator intelligence is the only mechanism that exposes the network — not just the individual incident — enabling insurers to act on the ring, not just the claim.
Obsidian layers real-time session telemetry, device fingerprinting, and network intelligence into a continuously enriched graph — so your decisions are always informed by the full picture.
The moment a session begins, Obsidian captures TLS ClientHello data for JA4+ fingerprinting before the WAF, collects browser and device telemetry via fps.js, and begins graph-based enrichment — all before your platform has served a single page.
Amazon Neptune stores the relationships between sessions, devices, browsers, IPs, email addresses, and usernames. Confidence levels scale with graph connection density — not just individual attributes.
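An added example (not Obsidian's code, schema or scoring) of the cross-entity linkage described above: accounts that share a device, browser fingerprint or email address are merged into one cluster with union-find, and each cluster reports the attributes that link it. The record fields, the sample data and the density formula are assumptions made for illustration.

```javascript
// Constructed sample: attributes each account was observed with.
// Field names and values are hypothetical, not Obsidian's schema.
const OBSERVATIONS = [
  { account: 'acct-1', device: 'dev-A', fingerprint: 'fp-1', email: 'a@example.com' },
  { account: 'acct-2', device: 'dev-A', fingerprint: 'fp-2', email: 'b@example.com' },
  { account: 'acct-3', device: 'dev-B', fingerprint: 'fp-2', email: 'c@example.com' },
  { account: 'acct-1', device: 'dev-B', fingerprint: 'fp-1', email: 'a@example.com' },
  { account: 'acct-4', device: 'dev-C', fingerprint: 'fp-9', email: 'd@example.com' },
];

// Union-find over node ids, with path compression.
class DisjointSet {
  constructor() { this.parent = new Map(); }
  find(x) {
    if (!this.parent.has(x)) this.parent.set(x, x);
    let root = x;
    while (this.parent.get(root) !== root) root = this.parent.get(root);
    while (this.parent.get(x) !== root) {
      const next = this.parent.get(x);
      this.parent.set(x, root);
      x = next;
    }
    return root;
  }
  union(a, b) { this.parent.set(this.find(a), this.find(b)); }
}

// Cluster accounts that are connected through any shared attribute.
function linkAccounts(rows) {
  const sets = new DisjointSet();
  const holders = new Map(); // attribute node -> Set of accounts seen with it
  for (const row of rows) {
    sets.find(`account:${row.account}`); // register accounts with no attributes too
    for (const kind of ['device', 'fingerprint', 'email']) {
      if (!row[kind]) continue;
      const attr = `${kind}:${row[kind]}`;
      sets.union(`account:${row.account}`, attr);
      if (!holders.has(attr)) holders.set(attr, new Set());
      holders.get(attr).add(row.account);
    }
  }
  // Group accounts, and the attributes they share, by connected component.
  const clusters = new Map();
  const clusterOf = (node) => {
    const root = sets.find(node);
    if (!clusters.has(root)) clusters.set(root, { accounts: new Set(), shared: [], sharedEdges: 0 });
    return clusters.get(root);
  };
  for (const row of rows) clusterOf(`account:${row.account}`).accounts.add(row.account);
  for (const [attr, accounts] of holders) {
    if (accounts.size < 2) continue; // an attribute seen on one account links nothing
    const c = clusterOf(attr);
    c.shared.push(attr);
    c.sharedEdges += accounts.size;
  }
  return [...clusters.values()]
    .map((c) => ({
      accounts: [...c.accounts].sort(),
      sharedAttributes: c.shared.sort(),
      // Assumed density measure: shared edges present / shared edges possible.
      density: c.shared.length ? c.sharedEdges / (c.accounts.size * c.shared.length) : 0,
    }))
    .sort((a, b) => b.accounts.length - a.accounts.length);
}
```

On the sample, acct-1, acct-2 and acct-3 fall into one cluster although no single attribute is common to all three, which is the case attribute-by-attribute matching misses.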
Subscriptions deliver webhook updates as intelligence evolves. When a user account's risk profile changes — because a linked IP is later flagged, or a connected device surfaces elsewhere — your platform is notified immediately.
Session binding mismatches return HTTP 200 with a directive: continue response — indistinguishable from success. Attackers cannot probe the system to discover detection thresholds.
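The silent-mismatch behaviour described above, as an added example rather than Obsidian's implementation: a handler that reveals detection through its status code is set beside one that returns the same `directive: continue` response either way and records the mismatch server-side only. The binding store, request fields and signal shape are hypothetical.

```javascript
// Hypothetical binding store: session id -> fingerprint recorded when the session opened.
const BINDINGS = new Map([['sess-1001', 'fp-aaaa']]); // constructed sample

// The one response every caller receives from the silent variant.
const CONTINUE = { status: 200, body: JSON.stringify({ directive: 'continue' }) };

// Leaky variant: the status code tells the caller exactly when detection fired.
function leakyCheck(req) {
  const bound = BINDINGS.get(req.sessionId);
  if (bound !== req.fingerprint) {
    return { status: 403, body: JSON.stringify({ error: 'binding_mismatch' }) };
  }
  return { ...CONTINUE };
}

// Silent variant: identical status and body on match, mismatch and unknown
// session; the finding goes to an internal signal list for enrichment.
function silentCheck(req, signals) {
  const bound = BINDINGS.get(req.sessionId);
  if (bound !== req.fingerprint) {
    signals.push({
      type: 'session_binding_mismatch',
      sessionId: req.sessionId,
      expected: bound ?? null, // null when the session id is unknown
      presented: req.fingerprint,
    });
  }
  return { ...CONTINUE };
}

// What an outside caller can observe: status and body bytes only.
function observable(res) {
  return `${res.status}|${res.body}`;
}

// True if a caller can tell a matching request from a mismatching one.
function isDistinguishable(check) {
  const match = check({ sessionId: 'sess-1001', fingerprint: 'fp-aaaa' }, []);
  const mismatch = check({ sessionId: 'sess-1001', fingerprint: 'fp-zzzz' }, []);
  return observable(match) !== observable(mismatch);
}
```

Status and body are only part of what a caller sees; response headers and timing need the same uniformity for the two cases to stay indistinguishable.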
Obsidian signals map directly to the regulatory requirements your compliance, risk, and AML teams are accountable for.
Credential stuffing, phishing, and social engineering to access legitimate accounts. Detected via impossible travel, new device or IP for a known account, JA4+ fingerprint changes, and automation signals.
Fabricated or manipulated identities combining real and false data to open accounts. Flagged via email breach correlations, temporary domain patterns, and cross-entity registration anomalies.
Using stolen or fabricated identity to open accounts or apply for credit. Cross-entity device and email signals surface repeated application patterns across institutions using different identities.
Recruited or compromised accounts used to receive and move illicit funds. IP intelligence, device sharing across accounts, and unusual behaviour patterns identify mule infrastructure before funds move.
Automated use of stolen username/password pairs to compromise accounts. JA4+ TLS fingerprinting, typing cadence anomalies, and browser automation signals detect bot-driven credential attacks.
Legitimate customers misrepresenting circumstances or disputing genuine transactions. Behaviour anomalies, cross-entity history, and device linkage across disputes surface deliberate misrepresentation.
Multiple accounts created to claim promotions repeatedly. Detected via device sharing across registrations, browser fingerprint reuse, and email address patterns.
Same individual operating multiple accounts, including peer-game collusion. Cross-entity graph linkage surfaces shared devices, browser fingerprints, and email relationships across accounts.
Credential stuffing, phishing, or brute force against established accounts. Detected via impossible travel, new device/IP for a known account, JA4+ fingerprint mismatch, and automation signals.
Fabricated or manipulated identities used to open accounts. Flagged via email breach correlations, likely-temporary email domain patterns, and cross-entity registration anomalies.
Accounts used to receive and move illicit funds through gaming activity. IP intelligence (TOR, VPN, datacenter), cross-operator identity linkage, and behavioural anomalies surface layering patterns.
Scripts and AI-driven bots simulating human play for exploitation. JA4+ TLS fingerprinting, automation detection, suspicious typing cadence, and browser anomaly signals fire in combination.
Customers deceived into authorising transfers to fraudster-controlled accounts. Behaviour anomalies, device changes during high-value sessions, and known fraudulent IP ranges signal APP fraud in progress.
Credential stuffing, SIM-swap, and social engineering to access legitimate accounts. New device or IP for a known customer, impossible travel, and JA4+ fingerprint mismatches are primary detection signals.
AI-generated identities combining real and fabricated data to pass KYC at onboarding. Cross-entity signals surface inconsistencies across multiple application attempts using the same underlying infrastructure.
Recruited or compromised accounts used to receive and layer illicit funds. Device and IP sharing across multiple accounts, unusual onboarding patterns, and cross-institution identity signals identify mule infrastructure.
Stolen or fabricated identity used to apply for credit, loans, or accounts. Cross-entity graph signals surface repeated application attempts across institutions using the same device or email infrastructure.
Legitimate customers misrepresenting circumstances or disputing genuine transactions. Behaviour anomalies and cross-entity account history flag deliberate misrepresentation patterns.
False or stolen identity used at point of quote to obtain policies or reduce premiums. Device and email cross-entity signals detect fabricated or reused application infrastructure before policies are issued.
Deliberately inflated or fabricated claims submitted after a policy is taken out. Cross-entity claimant history, device linkage across multiple claims, and submission behaviour anomalies surface both opportunistic and organised fraud.
Deliberately staged or induced road traffic incidents for financial gain. Cross-insurer identity signals identify individuals and networks with prior staged incident history invisible to single-insurer view.
Criminal intermediaries using false or stolen identities to obtain and resell manipulated policies. The same device, email domain, or IP range across multiple policy applications is the defining signal.
Misrepresenting the main driver or policyholder to reduce premiums. Cross-entity account and device linkage surfaces the relationships between the named proposer and the actual primary user that manual checks miss.
Coordinated criminal networks submitting claims across multiple insurers simultaneously. Cross-operator intelligence exposes the network — shared devices, IP ranges, and identity clusters — enabling action on the ring, not just the claim.
Suspicious Activity Reporting. The Proceeds of Crime Act requires reporting of suspected money laundering. Obsidian's real-time signals and audit trail create the evidence base needed for timely, legally defensible SAR filing.
Legitimate Interest Processing. Cross-entity fraud prevention data sharing is processed under Art. 6(1)(f) UK GDPR — consistent with ICO guidance and analogous to the legal basis used by CIFAS and credit reference agencies. A Legitimate Interest Assessment (LIA) is available on request.
Extended Predicate Offences. Obsidian's network intelligence — linking accounts, devices, and IPs across operators — supports fraud and money laundering detection obligations under the Sixth Anti-Money Laundering Directive.
Failure to Prevent Fraud (in force Sep 2025). Large organisations must demonstrate "reasonable procedures" to prevent fraud. Obsidian's real-time signals, audit trail, and cross-entity intelligence form part of a defensible fraud prevention framework.
SR Code 3.4.1 — Safer Gambling. Identification of customers displaying indicators of harm. Obsidian's behavioural, automation, and impossible travel signals provide data points for at-risk player identification obligations.
LC 12.1.1 — AML & KYC. Customer due diligence triggers and source of funds checks. IP intelligence, cross-entity account linking, and email breach data support enhanced due diligence decisions and ongoing monitoring obligations.
AML/CFT Implementing Procedures. The MGA's player due diligence and transaction monitoring requirements are addressed by Obsidian's cross-entity graph, IP risk classification, and real-time behavioural signals.
Extended Predicate Offences. Obsidian's network intelligence — linking accounts, devices, and IPs across operators — supports the fraud and money laundering detection obligations under the Sixth Anti-Money Laundering Directive.
Financial Crime Systems & Controls. FCA-regulated firms must maintain adequate systems to detect and prevent financial crime. Obsidian's entity graph and real-time signals form part of a defensible financial crime control framework consistent with FCA expectations.
APP Fraud Mandatory Reimbursement (in force Oct 2024). The PSR's reimbursement rules require firms to demonstrate fraud detection capability. Obsidian's real-time signals and audit trail support both detection obligations and the evidence required for reimbursement decisions.
Suspicious Activity Reporting. SAR obligations under the Proceeds of Crime Act require timely reporting and defensible reasoning. Obsidian's full audit log of signals raised against a customer record supports both the SAR and any subsequent investigation.
FRAML Convergence. Fraud and AML typologies increasingly overlap. Obsidian's unified entity intelligence addresses both disciplines — cross-entity account linkage surfaces mule networks for both fraud and AML purposes simultaneously.
Insurance Conduct of Business — Customer Due Diligence. FCA ICOBS 2.5 requires firms to take reasonable care regarding the identity of customers. Obsidian's signals support identity verification at point of quote, inception, and claim.
Duty of Fair Presentation. Insurers must understand the risk being underwritten. Obsidian's application fraud signals — detecting false identity and misrepresentation at point of quote — directly support the underwriting due diligence required under the Act.
Proceeds of Crime Reporting. Insurance fraud proceeds are frequently laundered through legitimate claims. SAR obligations apply and Obsidian's cross-entity intelligence and audit trail support both detection and reporting obligations.
Industry Intelligence Sharing. The Insurance Fraud Bureau and IFED expect insurers to actively detect and share intelligence on organised fraud rings. Obsidian's cross-operator graph provides the network-level intelligence that individual insurer systems cannot produce alone.
These are not projections. iGaming fraud is accelerating, regulators are enforcing, and operators without intelligence infrastructure are exposed.
Fraud now represents a systemic risk to UK financial services. Regulators are actively enforcing, and the burden of proof has shifted to firms.
Fraudulent claims exceed £1 billion for the second consecutive year. Detection remains the industry's primary challenge — and cross-operator intelligence the primary gap.
Every architectural decision — from pre-WAF TLS capture to silent mismatch responses — is made to maximise detection capability and minimise attacker feedback.
The ingestion container sits in front of the AWS WAF specifically to capture raw, unproxied TLS ClientHello data. A lightweight Alpine Linux / C# Fargate container with minimal surface area handles input validation and fingerprint calculation exclusively — the only point at which a true JA4+ fingerprint can be computed.
pre-WAF · Fargate · Alpine · C#/.NET
Amazon Neptune stores the full entity relationship graph. Confidence levels are derived from graph connection density — not isolated attributes. Cross-entity correlation is the core enrichment mechanism, enabling signals that no single data point could produce alone.
Amazon Neptune · Graph DB · eu-west-2
Intelligence enrichment is driven by Kafka. Two trigger patterns — Session URN events and User Account link events — power all 23 enrichment rules. New sessions trigger immediate enrichment; new user account associations trigger cross-entity re-evaluation. The pipeline operates continuously, not in batch.
Kafka · event-driven · 2 trigger patterns
L3 firewall, TLS 1.3 minimum, ASP.NET Core middleware pipeline, JWT with asymmetric signing (RS256/ES256) and short TTLs, IP-based sliding window rate limiting, and an API key to short-lived access token flow. The operator API key never reaches the browser.
JWT RS256/ES256 · TLS 1.3 · Rate Limiting
A dedicated ingestion service continuously maintains DynamoDB tables for Bad IPs, VPN IPs, TOR exit nodes, datacentre IP ranges, and bad ASNs. Five ingestion rules run independently — BadIP, BadASN, DataCentreRange, VPNIP, and TORExitNodeIP — each extending a common abstract IngestionRule base class.
DynamoDB · 5 ingestion rules · C#/.NET
Intelligence updates are delivered to your registered endpoint within 30 seconds of enrichment completion over TLS 1.3. Failed deliveries trigger automatic retry with three attempts and exponential backoff, with dead-letter logging for manual review. Subscription durations of 1, 30, 180, and 365 days are supported.
Webhook · 3× retry · exponential backoff
Obsidian is a third-party platform processing your player data. We expect to be scrutinised. Here is what you need to know before your security and legal teams ask.
Firesand holds ISO 27001 certification, extending to cover the Obsidian platform and its data processing operations. Independently audited annually.
Cyber Essentials Plus certification extends to Obsidian, demonstrating verified technical controls against common cyber attack vectors.
The Obsidian platform undergoes independent penetration testing on a defined schedule. Test reports are available to enterprise clients under NDA.
Built on AWS Lambda, Neptune, DynamoDB, and Kafka in eu-west-2 with multi-availability-zone deployment. No single point of failure in the critical enrichment path.
Operators are notified within 30 minutes of a confirmed platform incident, with status updates throughout resolution.
Legitimate Interest (Art. 6(1)(f) UK GDPR). The processing of player data for cross-operator fraud prevention is analogous to the legal basis used by established financial-sector fraud consortia and credit reference agencies. A Legitimate Interest Assessment (LIA) has been conducted and is available to operators on request.
All data processed and stored in eu-west-2 (London) by default. US operators may request US-region deployment. Session data is retained for 13 months. Intelligence graph data uses a rolling 5-year window. Encrypted AES-256 at rest; TLS 1.3 in transit.
A Data Processing Agreement (DPA) is in place with all operators prior to go-live. Operators remain the data controller. Right to erasure requests are processed within 30 days. Full audit log of all signals raised against a player record is available on request for regulatory or legal purposes.
Obsidian integrates with your existing stack with minimal friction. A full sandbox environment is available from day one of your integration. The REST API is versioned, documented, and stable.
Add the Firesand script to your front-end. It fires on page load, collects browser telemetry, and binds to a client-supplied interactionID if provided in the query string — or obtains a Firesand-generated session ID.
On registration or first deposit, call PUT /api/v1/threat-intelligence/useraccount with the user's email and/or username. Receive a User Account URI.
Call POST /api/v1/threat-intelligence/link-session to associate the current session with the user account. This triggers cross-entity enrichment across the graph.
Subscribe via PUT /api/v1/threat-intelligence/subscribe with your webhook URI. Initial intelligence is returned immediately; ongoing updates are pushed automatically as risk profiles evolve.
```javascript
// Step 1: fps.js loads on page open
// GET /fps.js?interactionid=<X>&cid=<Y>

// `token` is the short-lived access token and `sessionID` is the session ID
// from fps.js; both are supplied by your integration.
// Sending the same headers on every call is an assumption based on Step 2.
const headers = {
  'Authorization': `Bearer ${token}`,
  'Content-Type': 'application/json'
};

// Step 2: Register user account (server-side)
const account = await fetch(
  '/api/v1/threat-intelligence/useraccount', {
    method: 'PUT',
    headers,
    body: JSON.stringify({
      email: 'user@example.com',
      username: 'player42'
    })
  });
const { userAccountURI } = await account.json();

// Step 3: Link session to account
await fetch('/api/v1/threat-intelligence/link-session', {
  method: 'POST',
  headers,
  body: JSON.stringify({
    userAccount: userAccountURI,
    session: sessionID // from fps.js
  })
});

// Step 4: Subscribe for ongoing intelligence
await fetch('/api/v1/threat-intelligence/subscribe', {
  method: 'PUT',
  headers,
  body: JSON.stringify({
    userAccount: userAccountURI,
    days: 30,
    webhook: 'https://your-platform.com/intel-hook'
  })
});
// Delivered immediately + on every update
```
Stable versioned API at /api/v1/. Breaking changes require a minimum 6-month deprecation notice. OpenAPI spec available.
Full-featured test environment with sandbox API keys and synthetic data available to all clients from the start of integration.
Default: 1,000 req/min per API key. Burst to 5,000 req/min supported. Enterprise tiers available. Rate limit headers returned on every response.
Whether you need continuous monitoring for your full player base or on-demand intelligence for specific investigations, Obsidian has a model that fits.
Continuous, real-time intelligence monitoring for your player base. Includes webhook delivery, live graph enrichment, and ongoing signal updates for the subscription duration.
On-demand intelligence queries for specific user accounts or sessions. Ideal for investigations, onboarding checks, or supplementing an existing fraud stack with enriched graph intelligence.
Talk to the Firesand team. We'll walk you through a live demo using your environment, and answer your compliance and security questions directly.